From ae8b7a0f1a5cf569f52f35fc1f113d0c4f354f6e Mon Sep 17 00:00:00 2001
From: Nikias Bassen
Date: Wed, 14 Dec 2016 02:32:47 +0100
Subject: base64: Prevent use of strlen() in base64decode when input buffer size is known
---
 src/base64.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
(limited to 'src/base64.c')
diff --git a/src/base64.c b/src/base64.c
index 1595bd0..7870a79 100644
--- a/src/base64.c
+++ b/src/base64.c
@@ -105,22 +105,23 @@ static int base64decode_block(unsigned char *target, const char *data, size_t da
 unsigned char *base64decode(const char *buf, size_t *size)
 {
- if (!buf) return NULL;
- size_t len = strlen(buf);
+ if (!buf || !size) return NULL;
+ size_t len = (*size > 0) ? *size : strlen(buf);
 if (len <= 0) return NULL;
 unsigned char *outbuf = (unsigned char*)malloc((len/4)*3+3);
 const char *ptr = buf;
 int p = 0;
+ size_t l = 0;
 do {
 ptr += strspn(ptr, "\r\n\t ");
- if (*ptr == '\0') {
+ if (*ptr == '\0' || ptr >= buf+len) {
 break;
 }
- len = strcspn(ptr, "\r\n\t ");
- if (len > 3) {
- p+=base64decode_block(outbuf+p, ptr, len);
- ptr += len;
+ l = strcspn(ptr, "\r\n\t ");
+ if (l > 3 && ptr+l <= buf+len) {
+ p+=base64decode_block(outbuf+p, ptr, l);
+ ptr += l;
 } else {
 break;
 }
-- 
cgit v1.1-32-gdbae
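Review bot: The new bound `buf+len` is not honoured by the scans inside the loop. `strspn` and `strcspn` still read until a NUL byte, and `*ptr == '\0'` is evaluated before `ptr >= buf+len`, so a sized input that is not NUL-terminated can still be read past its end. The bound test should come first and both scans should stop at `buf+len`, as sketched below. Separately, `*size` is now read as an input, so a caller that leaves it uninitialised would supply an arbitrary length (it appears to have been output-only before, judging by this hunk); the function comment should state that `*size` must be 0 or the buffer length. The function body and the `do` loop continue outside the hunk.

```c
	const char *end = buf + len;
	// … unchanged: outbuf allocation, ptr/p/l declarations …
	do {
		/* skip whitespace without reading at or beyond end */
		while (ptr < end && (*ptr == '\r' || *ptr == '\n' || *ptr == '\t' || *ptr == ' ')) {
			ptr++;
		}
		if (ptr >= end || *ptr == '\0') {
			break;
		}
		/* measure the next token, bounded by end instead of a NUL terminator */
		l = 0;
		while (ptr + l < end && ptr[l] != '\0' && ptr[l] != '\r' &&
		       ptr[l] != '\n' && ptr[l] != '\t' && ptr[l] != ' ') {
			l++;
		}
		if (l > 3) {
			// … unchanged: base64decode_block call and ptr advance …
```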